Host Scanner Changelog
This page lists the released versions of the Cryptosense Host Scanner, most recent first, with the changes brought by each version.
0.9.6 - 2022-09-15
Changed
- [PEM] Extract all certificates from concatenated PEM files.
Added
- [General] Add the `--password` option to attempt decryption of PBE-encrypted information.
- [PKCS#12] Extract content of `Data` items.
- [PKCS#12] Extract content of `EncryptedData` items if `--password` is provided and decryption succeeds.
  - Support of `PBES2` encryption with `pbkdf2` as KDF and `AES-(128/192/256)-(ECB/CBC)` and `3DES-CBC` as encryption schemes.
  - Other algorithms are not decrypted, but the algorithm names are exported for analysis.
- Support of
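The 0.9.6 entries above draw a line between what the scanner decrypts (PBES2 with PBKDF2 and AES or 3DES, given a working `--password`) and what it only reports by name. As an added example, not Cryptosense code and independent of how the scanner is implemented, here is a stdlib-only Python inspector that classifies the `AlgorithmIdentifier` found in a PKCS#12 `EncryptedContentInfo` along the same line. It stops at classification: the PBKDF2/AES/3DES decryption itself needs a crypto library and is out of scope. The sample identifiers are constructed by the block (assumed salt, IV and iteration values), not taken from a real keystore.

```python
# OIDs for PKCS#5 v2 PBES2/PBKDF2, the AES/3DES schemes and two legacy PKCS#12 PBEs.
OIDS = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.7": "hmacWithSHA1",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.1": "AES-128-ECB", "2.16.840.1.101.3.4.1.2": "AES-128-CBC",
    "2.16.840.1.101.3.4.1.21": "AES-192-ECB", "2.16.840.1.101.3.4.1.22": "AES-192-CBC",
    "2.16.840.1.101.3.4.1.41": "AES-256-ECB", "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
    "1.2.840.113549.3.7": "3DES-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}
# The PBES2 cipher set the changelog lists as decryptable when --password works.
DECRYPTABLE = {"AES-128-ECB", "AES-128-CBC", "AES-192-ECB", "AES-192-CBC",
               "AES-256-ECB", "AES-256-CBC", "3DES-CBC"}

# --- minimal DER encode/decode, enough for AlgorithmIdentifier structures ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                      # base-128, high bit = continuation
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_int(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))  # MSB stays clear

def parse_tlv(data, pos=0):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def parse_seq(content):
    """Children of a SEQUENCE as (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        items.append((tag, body))
    return items

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _name(oid_body):
    oid = decode_oid(oid_body)
    return OIDS.get(oid, oid)                 # unknown OIDs are exported dotted

def describe_pbe(algid_der):
    """Summarise the AlgorithmIdentifier of an EncryptedContentInfo.

    Legacy PKCS#12 PBEs and unknown schemes get a name only; PBES2 is unpacked
    into KDF, salt length, iteration count, PRF, cipher and IV length, and is
    flagged decryptable only for a PBKDF2 + AES/3DES pairing.
    """
    _, content, _ = parse_tlv(algid_der)
    items = parse_seq(content)
    info = {"scheme": _name(items[0][1]), "decryptable": False}
    if info["scheme"] != "PBES2" or len(items) < 2:
        return info
    kdf, enc = parse_seq(items[1][1])         # PBES2-params {kdf, encryptionScheme}
    kdf_items = parse_seq(kdf[1])
    info["kdf"] = _name(kdf_items[0][1])
    if info["kdf"] == "PBKDF2":               # PBKDF2-params {salt, iter, [keyLen], [prf]}
        params = parse_seq(kdf_items[1][1])
        info["salt_len"] = len(params[0][1])
        info["iterations"] = int.from_bytes(params[1][1], "big")
        info["prf"] = "hmacWithSHA1"          # PKCS#5 default when absent
        for tag, body in params[2:]:
            if tag == 0x02:
                info["key_length"] = int.from_bytes(body, "big")
            elif tag == 0x30:
                info["prf"] = _name(parse_seq(body)[0][1])
    enc_items = parse_seq(enc[1])
    info["cipher"] = _name(enc_items[0][1])
    info["iv_len"] = len(enc_items[1][1]) if len(enc_items) > 1 else 0
    info["decryptable"] = info["kdf"] == "PBKDF2" and info["cipher"] in DECRYPTABLE
    return info

# Constructed sample identifiers (assumed salt/IV/iteration values, not from a real keystore).
def build_pbes2_algid(iterations=2048, cipher="2.16.840.1.101.3.4.1.42",
                      prf="1.2.840.113549.2.9", iv_len=16):
    kdf_params = tlv(0x30, tlv(0x04, b"\x01" * 8) + encode_int(iterations)
                     + tlv(0x30, encode_oid(prf) + b"\x05\x00"))
    kdf = tlv(0x30, encode_oid("1.2.840.113549.1.5.12") + kdf_params)
    enc = tlv(0x30, encode_oid(cipher) + tlv(0x04, b"\x02" * iv_len))
    return tlv(0x30, encode_oid("1.2.840.113549.1.5.13") + tlv(0x30, kdf + enc))

LEGACY_ALGID = tlv(0x30, encode_oid("1.2.840.113549.1.12.1.3")
                   + tlv(0x30, tlv(0x04, b"\x03" * 8) + encode_int(2048)))
```

The `decryptable` flag mirrors the changelog's split; everything else in the returned dict (PRF, iteration count, IV length, or a bare OID for an unrecognised scheme) is the material an inventory wants even when no password is available.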
0.9.5 - 2022-06-28
Changed
- Deprecate the `--include-keys` option. Keys are now included by default.
- Detect PEM blocks preceded by some plain text, up to 32 KiB after the beginning of the file. Previously PEM content was only detected at the beginning of a file.
Added
- Detect JCEKS keystores and extract their content, if unencrypted.
- Add support for Windows.
Fixed
- Fix crash on certificates containing invalid UTF-8 strings inside distinguished names.
- Fix crash on some malformed PGP keys.
- Increase robustness of scanner against parsing bugs by making it recover and continue scanning.
- Fix a situation where some combinations of command-line options caused the same parser modules to be applied to files more than once.
- Ensure correct JSON encoding of the trace header (e.g. correct escaping of `\` characters in Windows file paths).
- Fix crash on keystore private key entries with empty certificate chains.
- Fix failure to detect PEM files with Windows CRLF line endings.
- Fix crash on some special files where true and reported file lengths differ (e.g. in `/sys`).
0.9.4 - 2022-04-08
Changed
- Change the `--max-file-size` option to interpret `0` as "no size limit". Any strictly positive value is interpreted the same way as before (file cutoff in bytes).
Fixed
- Improve encoding of certificate serial numbers so that such certificates have a better chance of being correctly matched with certificates coming from other sources such as the Java Tracer.
- Improve performance of scanning:
- Improve detection of ASN.1 files to reduce memory usage and time spent in scans.
- Exclude CPIO and system map files from scan.
0.9.3 - 2022-03-02
Added
- Add option `--max-file-size` to change the size limit for scanned files. The default value is 1 MB.
Changed
- Limit the amount of data read from any single file to 1 MB by default. This avoids performance issues when large files are mistaken for ASN.1 files.
Fixed
- Prevent the host scanner from missing some files when `/sys` is in the scope of the scan, even if those files are outside of `/sys`.
0.9.2 - 2022-02-01
Added
- Add initial support for PKCS#12 keystores
Changed
- Fix host name for Docker image scans: it now reports the image name.
0.9.1 - 2021-10-29
Fixed
- Fix container image file locations to not contain the temporary prefix used for scanning (e.g. `/etc/ssl/cert.pem` instead of `/tmp/tmp_name/etc/ssl/cert.pem`).
0.9.0 - 2021-10-13
Added
- Add initial support for PGP keys.
0.8.0 - 2021-08-04
Fixed
- Catch and handle "end of file" errors coming from the Java static scanner if it is used in combination with the host scanner.
0.7.1 - 2021-07-29
Added
- Add on-the-fly gzip compression of scans.
Fixed
- Fix stack overflow when scanning files with a large number of line breaks.
- Improve error message when the host scanner is used in combination with the Java static scanner.
Changed
- Rename CLI option `--static_scanner_path` to `--static-scanner-path`.
- Rename CLI option `--image_name` to `--image-name`.
0.7.0 - 2021-07-09
Added
- Add Docker image scanning.
0.6.0 - 2021-06-11
Added
- Add support for EC and DSA private keys and certificates.
- Add support for DER encoding.
- Include encoded certificates in the scan file.
0.5.0 - 2021-04-16
Added
- Add parsing of hard-coded strings in JAR files.
0.4.0 - 2021-02-10
Added
- Add parsing of JKS keystores.
0.3.0 - 2020-04-27
Added
- Add a progress bar showing the number of files scanned.
Changed
- Change log level of "Unknown OID" message from warning to debug.
Fixed
- Improve performance on large directory trees: less RAM usage, less computing and fewer syscalls.
- Fix file being counted twice, and potential infinite loop, by not following symbolic links.
- Fix freeze on files without an end, such as some special files in `/sys/kernel`.
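The `--max-file-size` entries (0.9.3, 0.9.4), the 0.9.5 fix for files whose reported and true lengths differ, and the 0.3.0 fixes for symbolic links and never-ending files under `/sys/kernel` all describe one discipline: walk without following links, and never let `st_size` decide how much to read. As an added example in Python, written for this page and not the scanner's own code, here is a minimal walker that applies it. Two assumptions are built in: the "1 MB" default is taken as 1,000,000 bytes (the changelog does not say whether it means 10^6 or 2^20), and the sample tree is constructed in a temporary directory rather than scanned from a real host.

```python
import os
import stat
import tempfile

# "1 MB" as in the 0.9.3 entry; assumed here to be 1,000,000 bytes.
DEFAULT_MAX_FILE_SIZE = 1_000_000
CHUNK = 64 * 1024


def read_bounded(path, max_file_size=DEFAULT_MAX_FILE_SIZE):
    """Read at most max_file_size bytes from path; 0 means no limit (0.9.4).

    st_size is never consulted: sysfs attributes report 4096 bytes but return
    fewer, and some special files never return EOF.  Reading in chunks until
    EOF or the limit handles both; with max_file_size=0 an endless file would
    still hang, which is why the default is bounded.  Returns (data, truncated).
    """
    limit = None if max_file_size == 0 else max_file_size
    buf = bytearray()
    with open(path, "rb", buffering=0) as f:
        while limit is None or len(buf) < limit:
            want = CHUNK if limit is None else min(CHUNK, limit - len(buf))
            chunk = f.read(want)
            if not chunk:                       # genuine EOF
                return bytes(buf), False
            buf += chunk
        return bytes(buf), bool(f.read(1))      # anything left means we cut it


def walk_regular_files(root):
    """Yield regular files below root without ever following symbolic links
    (0.3.0): a link to a directory would double-count or loop, a link to a
    file would be scanned twice under two paths."""
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)             # lstat: do not resolve the link
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path


def scan(root, max_file_size=DEFAULT_MAX_FILE_SIZE):
    """Map each scanned path (relative to root) to (bytes_read, truncated)."""
    results = {}
    for path in walk_regular_files(root):
        data, truncated = read_bounded(path, max_file_size)
        results[os.path.relpath(path, root)] = (len(data), truncated)
    return results


def build_sample_tree():
    """Constructed sample tree in a temporary directory (not a real host):
    a 2 MiB blob, a small PEM-looking file, a file symlink and a directory
    symlink pointing back at the root."""
    root = tempfile.mkdtemp(prefix="hostscan-demo-")
    ssl = os.path.join(root, "etc", "ssl")
    os.makedirs(ssl)
    with open(os.path.join(ssl, "big.bin"), "wb") as f:
        f.write(b"\x30" * (2 * 1024 * 1024))
    with open(os.path.join(ssl, "small.pem"), "wb") as f:
        f.write(b"-----BEGIN CERTIFICATE-----\n")
    os.symlink(os.path.join(ssl, "small.pem"), os.path.join(root, "etc", "link.pem"))
    os.symlink(root, os.path.join(root, "etc", "loop"))
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, (n, cut) in sorted(scan(demo_root).items()):
        print(f"{rel}: {n} bytes{' (truncated)' if cut else ''}")
```

Setting `max_file_size=0` removes the only protection this loop has against endless special files, so in practice it belongs together with path exclusions for pseudo-filesystems rather than on its own.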
0.2.0 - 2020-04-16
Changed
- Make host scanner a lot less verbose by default.
Fixed
- Fix stack overflow when scanning large directories.
Added
- Add `--verbose` and `--quiet` options to control the verbosity.
0.1.0 - 2020-04-07
Initial release.